Dark Nexus IoT Botnet: Analyzing and Detecting its Network Activity

The massive presence of unprotected IoT devices is providing many opportunities for malicious threat actors. Most of these devices are plug-and-play and do not require any kind of configuration, making security optional.

In fact, manufacturers ship the devices with default passwords that are publicly known, providing easy access to the configuration panel for new users. If such passwords are not replaced with new, strong ones, they provide the first entry vector used by attackers.

Attackers who compromise a high number of IoT devices usually create botnets to trigger DDoS (distributed denial-of-service) attacks with the goal of disabling systems for hacktivism or financial gain. 

Our team of security researchers at Nozomi Networks Labs analyzed several variants of the IoT botnet dubbed Dark Nexus. It is a new IoT botnet that has come to prominence in the last few months and its capabilities have been thoroughly discussed by Bitdefender researchers. ^[1]

We analyzed its network behavior, which we describe in this post, and provide a detection signature to help protect IoT, OT and IT networks.

IoT Botnet Dark Nexus: Three Categories of Network Activity

The Dark Nexus bot leaves a hefty network trail that can be broadly divided into three categories:

• C&C (command and control) communication
• Self-propagation
• DDoS attacks

Though self-propagation and DDoS attacks could be a single category, their final goals are very different, so we prefer to analyze them separately. To properly commandeer the bot in our lab, we wrote a replacement for the C&C server that allowed us to trigger network activity in a controlled manner.

While the bot carefully analyzes the system it is executing in, and kills suspicious processes that might hinder its activities, the most delicate section remains the network parsing code. This is a critical feature for a botnet, since a bug in this area might lead to catastrophic consequences for the threat actor. The botnet itself could become vulnerable to DDos attacks or be completely taken over by a different hacking group.

We analyzed each of the three categories of Dark Nexus’ activity.

C&C Communication Aims to Download Latest Version

Once a device is infected, it performs a GET request to retrieve its IP:

GET / HTTP/1.1
Host: icanhazip.com

It then goes on to send a registration message to the C&C server in the following format:

\x10[first_argument] \x11[architecture] \x12[version] \x13[reverse proxy random port] \x14[socks proxy random port]

In the example shown above, the 6.6 version of the malicious binary was executed with argv[1] set to “new_vector”, running on an ARM7 CPU. A question mark character is sent if no arguments are provided. The binary randomly chose port 52750 to run its reverse proxy and port 50999 to run a SOCKS proxy.

The following Snort rule can be used by everyone in the security community to detect such traffic: 

# Created by Nozomi Networks Labs
alert tcp any any -> any 30047 (msg:"Detected dark_nexus Botnet CnC Beacon"; flow:established,to_server; content:"|10|"; depth:1; pcre:"/\x11(arm|arm5|arm6|arm7|mips|mpsl|arc|ppc|x86|i586|i686|m68k|sh4|spc)\x12\d+\.\d+\x13\d+\x14\d+$/"; fast_pattern; sid:9000085; metadata:created_at 2020_05_06;)

Furthermore, the binary tries to download new versions of itself for all available architectures to ensure execution of its latest code.

Self-propagation Using Telnet, Port 23 and Random IPs

Telnet brute-forcing is a typical method of propagation among IoT botnets. Dark Nexus uses the get_random_ip function to generate random IPs, making sure to avoid certain IP ranges (invalid, localhost, certain companies). The function is very similar to the get_random_ip function found in leaked Mirai source code. ^[2]

 A SYN packet is then sent to the random IP with a destination port of 23. If the telnet service happens to be running and is reachable, a list of stored credentials is used to attempt to login successfully. Most of the stored credentials have been taken from public sources, such as the leaked Mirai source code, but there’s evidence that the author is adding new credentials from one version to another.

From a blue team perspective, the telnet scan capability, as simple as it is, underlines the need to avoid full internet exposure for devices that don’t strictly require it. 

DDoS Attacks Use Multiple Functions and Generate Network Traffic

The versions of the malware we examined contained the following attack functions:

• attack_udp_simple
• attack_tcp_raw
• attack_http
• browser_http_req
• attack_udpmop
• attack_udp_plain
• attack_tcp
• attack_ovh

Analysis of the parse_packet function, which is responsible for parsing attack commands received from C&C, resulted in the following message sent from our emulated C&C to the infected host to trigger attack_udp_simple.

\x00\x01\x02\x03\x04\x01\xc0\xa8\x01\x06\xd2\x04\x00
msg[0] - attack id

msg[5] - target count
msg[6] - target IP octet 1
msg[7] - target IP octet 2
msg[8] - target IP octet 3
msg[9] - target IP octet 4
msg[10] - target port lsb
msg[11] - target port msb
msg[12] - end marker

For the attack_http method, we had to change the attack_id in the C&C message. As shown below, the HTTP headers were randomized for every request.

Securing IoT Devices Requires Safe Visibility

IoT devices have specific peculiarities, such as limited processing power, that make them difficult to monitor. Resource-intensive agents, for example, can cripple their functionality. For this reason, once infected with a bot like Dark Nexus, an IoT device might require a firmware update that restores it to a clean slate in order to function properly.

To secure and properly manage your network, one of the first requirements is to have visibility of all your IoT devices.

There are technologies that automate asset identification in a way that ensures the availability of sensitive IoT assets. Our own product Guardian, for example, uses passive network traffic analysis to identify IoT devices and provide detailed information about each one. It works with our Threat Intelligence service to protect IoT and OT networks from threats such as Dark Nexus.

References:

1. Bitdefender.com: New dark_nexus IoT Botnet Puts Others to Shame
2. GitHub.com: jgamblin/Mirai-Source-Code